
gzhttp: Add BREACH mitigation #762

Merged
merged 4 commits into from
Feb 28, 2023

Commits on Feb 27, 2023

  1. gzhttp: Add BREACH mitigation

    See #761
    
    ## BREACH mitigation
    
    [BREACH](http://css.csail.mit.edu/6.858/2020/readings/breach.pdf) is a specialized attack where attacker-controlled data
    is injected alongside secret data in a response body. This can lead to side-channel attacks, where observing the compressed response
    size can reveal if there are overlaps between the secret data and the injected data.
    
    For more information see https://breachattack.com/
    
    It can be hard to judge if you are vulnerable to BREACH.
    In general, if you do not include any user provided content in the response body you are safe,
    but if you do, or you are in doubt, you can apply mitigations.
    
    `gzhttp` can apply [Heal the Breach](https://ieeexplore.ieee.org/document/9754554), or improved content-aware padding.
    
    ```Go
    // RandomJitter adds 1->n random bytes to output based on checksum of payload.
    // Specify the amount of input to buffer before applying jitter.
    // This should cover the sensitive part of your response.
    // This can be used to obfuscate the exact compressed size.
    // Specifying 0 will use a buffer size of 64KB.
    // If a negative buffer is given, the amount of jitter will not be content dependent.
    // This provides *less* security than applying content based jitter.
    func RandomJitter(n, buffer int) option {
    ...
    ```
    
    The jitter is added as a "Comment" field. This field has a 1 byte overhead, so actual extra size will be 2 -> n+1 (inclusive).
    
    A good option would be to apply 32 random bytes, with default 64KB buffer: `gzhttp.RandomJitter(32, 0)`.
    
    Note that flushing the data forces the padding to be applied, which means that only data before the flush is considered for content-aware padding.
    
    ### Examples
    
    Adding the option `gzhttp.RandomJitter(32, 50000)` will apply from 1 up to 32 bytes of random data to the output.
    
    The number of bytes added depends on the content of the first 50000 bytes, or all of them if the output was less than that.
    
    Adding the option `gzhttp.RandomJitter(32, -1)` will apply from 1 up to 32 bytes of random data to the output.
    Each call will apply a random amount of jitter. This should be considered less secure than content-based jitter.
    
    This can b
    klauspost committed Feb 27, 2023
    88aef16
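As an added illustration of the padding scheme the commit message describes (this is not gzhttp's own code; the functions `compressWithJitter`, `paddingLen`, `plainGzip` and `decompress` and the sample payloads are my own constructions), the Go program below derives a 1..n byte gzip "Comment" header from a SHA-256 of the buffered prefix of the payload, following the documented `RandomJitter(n, buffer)` semantics: a buffer of 0 means 64KB, and a negative buffer switches to padding that does not depend on content.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// paddingLen picks a length in [1, n]. With content-aware padding the choice
// is a function of the SHA-256 digest of the buffered prefix, so identical
// content always gets identical padding. With random=true the length is
// drawn fresh from crypto/rand on every call instead.
func paddingLen(sum [32]byte, n int, random bool) (int, error) {
	if n < 1 {
		return 0, errors.New("padding size n must be at least 1")
	}
	var v uint64
	if random {
		var b [8]byte
		if _, err := rand.Read(b[:]); err != nil {
			return 0, err
		}
		for i, x := range b {
			v |= uint64(x) << (8 * i)
		}
	} else {
		for i := 0; i < 8; i++ {
			v |= uint64(sum[i]) << (8 * i)
		}
	}
	return 1 + int(v%uint64(n)), nil
}

// compressWithJitter gzips payload and pads the gzip header with a Comment
// of 1..n bytes. buffer is how much of the payload is hashed: 0 selects the
// documented 64KB default, a negative value selects non-content-dependent
// padding. The Comment costs one extra NUL terminator, so the total
// overhead is 2..n+1 bytes, exactly as the commit message states.
func compressWithJitter(payload []byte, n, buffer int) ([]byte, error) {
	random := buffer < 0
	if buffer == 0 {
		buffer = 64 << 10
	}
	prefix := payload
	if !random && len(prefix) > buffer {
		prefix = prefix[:buffer]
	}
	sum := sha256.Sum256(prefix)
	length, err := paddingLen(sum, n, random)
	if err != nil {
		return nil, err
	}
	// Printable ASCII satisfies the gzip writer's Latin-1/no-NUL rule and
	// makes one comment character exactly one byte on the wire.
	pad := make([]byte, length)
	for i := range pad {
		pad[i] = 'A' + sum[i%len(sum)]%26
	}
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Comment = string(pad) // header is emitted on the first Write
	if _, err := zw.Write(payload); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// plainGzip is the unpadded baseline used to measure the overhead.
func plainGzip(payload []byte) ([]byte, error) {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(payload); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// decompress returns the original payload and the Comment header, showing
// that a standard gzip reader is unaffected by the padding.
func decompress(data []byte) ([]byte, string, error) {
	zr, err := gzip.NewReader(bytes.NewReader(data))
	if err != nil {
		return nil, "", err
	}
	defer zr.Close()
	out, err := io.ReadAll(zr)
	if err != nil {
		return nil, "", err
	}
	return out, zr.Comment, nil
}

func main() {
	// Constructed sample bodies: a secret next to a reflected query value.
	secret := "csrf_token=0123456789abcdef;"
	for _, reflected := range []string{"search=apples", "search=pears"} {
		body := []byte("<html>" + secret + reflected + "</html>")
		plain, _ := plainGzip(body)
		for i := 0; i < 2; i++ { // same body twice: same padded size
			padded, _ := compressWithJitter(body, 32, 0)
			fmt.Printf("%-14s plain=%d padded=%d\n", reflected, len(plain), len(padded))
		}
	}
}
```

The reason the content-derived variant is preferable to the negative-buffer mode is visible in the output: the same body always compresses to the same padded size, so an observer who repeats an identical request cannot average the padding away, while a different body gets padding that is unpredictable without knowing the full content. Purely random padding, by contrast, can be averaged out over repeated requests, which is why the option documentation calls it less secure.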
  2. Fix 32 bit overflow.

    klauspost committed Feb 27, 2023
    df876b8

Commits on Feb 28, 2023

  1. Use SHA256 instead.

    klauspost committed Feb 28, 2023
    f87da94
  2. 223c9fd